We have the web based form login authentication with j_securtiy_check
working. We'd like to change it by programmatic login authentication. What is the proper way of having a servlet authenticate a user name and password passed to it? The servlet is obviously unprotected.
We have been experimenting with this server.xml Realm:
<Realm className="org.apache.catalina.realm.DataSourceRealm"
dataSourceName="UserDatabase"
userTable="app_user" userNameCol="login_name" userCredCol="password_value"
userRoleTable="user_perm" roleNameCol="permission_name"
allRolesMode="authOnly" digest="MD5"
/>
The reason for this, is that we have a java webstart client that sends login information to an unprotected loginServlet. This servlet currently authenticates against a JOSSO single sign-on service but I wish to remove this and use simple tomcat7 authentication for starters. Then eventually migrate to OpenAM. If I could programmatically generate the JSSESSIONIDSSO value and stuff this into a cookie.
This is some code that I found. Is this the right way to invoke authentication?
ApplicationContextFacade acf = (ApplicationContextFacade) this.getServletContext();
Field privateField = ApplicationContextFacade.class.getDeclaredField("context");
privateField.setAccessible(true);
ApplicationContext appContext = (ApplicationContext) privateField.get(acf);
Field privateField2 = ApplicationContext.class.getDeclaredField("context");
privateField2.setAccessible(true);
StandardContext stdContext = (StandardContext) privateField2.get(appContext);
Realm realm = stdContext.getRealm();
Principal principal = realm.authenticate(loginBean.getUsername(), loginBean.getPassword());
if (principal == null)
{
return 0;
}
GenericPrincipal genericPrincipal = (GenericPrincipal) principal;
System.out.println ("genericPrincipal=" + genericPrincipal.toString());
I think in Java webstart client app, when you need to ask authentication, you just use any HTTP client to sent userName, password to your LoginServer using POST method. In loginServlet, you use request.login ( userName, password ) then return authentication result in any format ( XML, JSON). At client side, you have to parse authentication result ( POST result ) and JSESSIONID cookie from response header too. For subsequent requests, you may have to send JSESSIONID that you parsed before.
I wanted to follow up on this.
There really isn't a simple answer.
The code at the end uses pure reflection to attempt to call the authenticate method within the realm. The problem is that this really depends on the realm attached.
JOSSO (org.josso.tc55.agent.jaas.CatalinaJAASRealm) for example doesn't have this method. Instead it has something called createPrincipal(String username, Subject subject). Their suggested process for doing this (for at least josso 1.5) is to use code like this:
If you use OpenAM (which is what I'm attempting to move to) as your single sign on provider instead of JOSSO, it is completely different. The current idea I am going with is to use a RESTful service they provide directly from the webstart client.
My first issue with that idea - is trying to find an API that I can use from the webstart java client that 1) Doesn't have a huge jar file size, 2) works with tomee+ CXF version 2.6.4. (I don't know enough about this to say, "yes just use the CXF 3.0 client jars as they will work fine with tomee+'s version of CXF...")
Anyhow here is the code that 'should' work if you use Tomcat7's canned datasource mechanisms for setting up a realm.
Again, this is if you find yourself trying to authenticate a user from within an unprotected servlet.
-Dennis
If you're already on Servlet 3.0 or newer, for programmatic authentication use
login()
method ofHttpServletRequest
.Servlet API provides you
login()
andlogout()
methods for programmatic access to container managed security.I noticed that this is no longer up to date. The final solution was to use the Java SDK that OpenAM provides.
This is the starting point: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-jdk.html
1) add all of the jar files that come with this SDK to your web application. 2) Change your servlet (or heavy client) to have the following code:
The important thing from the above code is the variable openAMSessionId . That ends up having the new OpenAM single sign on session id that you can pass around to all of your protected client applications so that the user doesn't get challenged for login.
I hope this helps.
-dklotz